
Hao Wang, Caleb Sargent, Harrison Pomeroy and Renana Friedlich_Into the Inbox: Novel Email Spoofing Attack Patterns.pdf

Uploader: 张** ID: 175541 2024-09-13 73 pages 13.16 MB

Into the Inbox: Novel Email Spoofing Attack Patterns
Speakers: Caleb Sargent & Hao Wang
#BHUSA @BlackHatEvents

About Us
Caleb Sargent (squared_), Offensive Security Engineer
Hao Wang (MrRed_Panda), Offensive Security Manager

Disclaimer
The ideas, content, or opinions expressed in this presentation are solely those of the author and do not reflect any endorsement or support by our employer.

Agenda
1 Story Time
2 Email Security Basics
3 Attack Patterns
4 Next Steps
5 Recommendations

Ever been pranked?
Crafting the ultimate prank.
Figuring out how to send an email
Testing if this works
DMARC all passes
Executing the prank (as seen in Attack Pattern 2)
The aftermath.

Standing on the shoulders of giants
SpamChannel, DEF CON 31: two million domains affected. Marcello "byt3bl33d3r" Salvati. Reference: https://forum.defcon.org/node/245722
SMTP Smuggling, 37C3: millions of domains affected. Timo Longin from SEC Consult. Reference: https:/sec-

SPF/DKIM/DMARC
- SPF: verify the sender IP against the TXT record of the domain given via MAIL FROM/HELO
- DKIM: verify the email based on the added DKIM signature
- DMARC: tells email receivers how to handle unauthenticated emails; verifies SPF or DKIM based on the domain passed via FROM

DMARC, RFC 7489 (Reference: https://www.rfc-editor.org/rfc/rfc7489.html):
"DMARC's filtering function is based on whether the RFC5322.From field domain is aligned with (matches) an authenticated domain name from SPF or DKIM."

Sample SMTP flow
Envelope: HELO, MAIL FROM:, RCPT TO:
DATA
Content/Message: FROM:, TO:, Subject: Hello World, DKIM-Signature: v=1; d=; h=
SPF: verify sender IP based on MAIL FROM or HELO
DKIM: the DKIM-Signature header in the message content
DMARC: Verify SPF OR DKIM base
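The alignment rule quoted above (the RFC5322.From domain must align with the SPF-authenticated MAIL FROM domain or with a verified DKIM d= domain) as a small checker. This is an added example, not code from the talk; its organizational-domain helper is a simplification standing in for the Public Suffix List lookup a real DMARC verifier performs, and the domains are constructed. It shows why a message with a sending platform's envelope sender and a spoofed header From fails DMARC on alignment even though SPF reports a pass, and how relaxed and strict alignment differ.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    """Organizational domain. Simplified to the last two labels (assumption for
    this example); a real DMARC verifier consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    header_from: str          # domain of the RFC5322.From header
    mail_from: str            # envelope MAIL FROM domain that SPF evaluated
    spf_pass: bool
    dkim_d: Optional[str]     # d= of a verified DKIM-Signature, or None
    dkim_pass: bool

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> str:
    """DMARC passes only if SPF or DKIM passed AND that identifier is aligned
    with the header From domain. A bare SPF pass is not enough."""
    spf_ok = r.spf_pass and aligned(r.mail_from, r.header_from, aspf)
    dkim_ok = (r.dkim_pass and r.dkim_d is not None
               and aligned(r.dkim_d, r.header_from, adkim))
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed samples (hypothetical domains).
# 1) Envelope sender on a sending platform's domain, header From claiming the
#    customer's domain, no DKIM for that domain: SPF passes for the platform
#    domain but is not aligned, so DMARC fails.
SPOOF_ATTEMPT = AuthResults("victim.example", "bounce.platform.example",
                            True, None, False)
# 2) Legitimate mail from a subdomain, signed with d=mail.victim.example:
#    passes under relaxed alignment, fails under strict.
LEGIT_SUBDOMAIN = AuthResults("victim.example", "mail.victim.example",
                              True, "mail.victim.example", True)

if __name__ == "__main__":
    print("spoof attempt:", dmarc_evaluate(SPOOF_ATTEMPT))                # fail
    print("subdomain, relaxed:", dmarc_evaluate(LEGIT_SUBDOMAIN))         # pass
    print("subdomain, strict:", dmarc_evaluate(LEGIT_SUBDOMAIN, "s", "s"))  # fail
```

A receiver's Authentication-Results header that reads spf=pass therefore says nothing about DMARC until the alignment step has been applied to the header From domain.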

This document mainly reveals a widespread weakness in email security that affects more than 6 million high-reputation domains. The weakness involves abuse of SPF, DKIM and DMARC, allowing attackers to forge sender addresses and send spoofed emails. The research notes that many large domain registrars and email service providers, such as SendGrid and Mailgun, have become sources of attack because of improper configuration. In addition, the document introduces the SMTP Smuggling attack, which exploits a flaw in the interaction between SMTP servers to let attackers insert malicious content while mail is in transit.

Key figures include:
- Of the 6 million affected high-reputation domains, 400,000 belong to two email and hosting service providers.
- In the SMTP Smuggling attack, about 1.3 million domains are exposed to risk.
- The vulnerabilities mentioned (CVE-2024-7208 and CVE-2024-7209) involve email service providers including Brevo and Mailgun, as well as hosting providers such as SendGrid and SparkPost.

To address these issues, the document recommends implementing strict email validation measures, including DMARC, DKIM and SPF, and monitoring mail Message-IDs to detect abnormal sending patterns. Mail service providers should also comply with the RFC standards to prevent unauthorized mail sending and to verify mail authenticity.